Over the years there have been numerous instances of cybersecurity breaches to water industry operational technologies (OT).
These breaches could have led to a range of challenges and disasters, particularly due to the widespread threat a successful breach could pose to a population. In this article, we outline some examples of recent breaches and detail what water infrastructure organisations can do to minimise their risk.
Recent water infrastructure breaches
The latest case to occur at Oldsmar, Florida in the United States could have been the closest to true disaster, with a malicious party gaining access to systems and successfully releasing dangerous amounts of sodium hydroxide from a water treatment facility. Luckily, harm was avoided by a plant worker who just happened to look at the monitor the moment the breach was happening. He saw the mouse pointer move around and change the level of sodium hydroxide while not touching the mouse himself. He quickly reversed the change to avoid a disaster and raised the alarm about this security breach.
While this incident is alarming, it is only one of numerous similar events. Some other recent examples include:
- A leaked 2017 report from the UK’s National Cyber Security Centre stating that hackers were targeting a range of industrial control systems across energy and water industries.
- The announcement in April 2020, that Israel’s wastewater SCADA systems were experiencing concentrated cyber-attacks, likely from a nation state.
In an environment of increased cybersecurity threats, events like those outlined above should prompt you to reflect on whether sufficient controls are in place to prevent this type of attack on your organisation.
Factors that make water industry OT vulnerable to cyber attack
In our experience, there are a number of common and emerging features of OT security design that can lead to an increased risk of cybersecurity breaches. These security design features include:
- An increased use of remote systems for controlling, rather than just monitoring, operational technologies. While this allows organisations to achieve greater efficiencies, it can also drastically increase their cybersecurity risk if not implemented in a secure manner.
- While attacks are at their most dangerous when systems can be remotely controlled, manipulation of monitoring signals can also pose a significant danger. A hacker could, for example, suppress alerts to hide other malicious activities or prompt an organisation to take incorrect actions to mitigate fabricated emergencies.
- Industrial control networks with nodes sitting in remote areas with insufficient active monitoring to detect intrusions. Access to physical information technology (IT) and OT infrastructure can allow attackers to access sensitive systems directly, bypassing ‘gateway’ controls such as firewalls and segmented networks.
- Unlike their IT counterparts, OT environments are less frequently updated and can consist of many legacy systems and devices. Quite often updates are no longer being released, making it difficult to protect these systems, particularly against new and emerging threats.
- Transmission of data over unencrypted connections, especially wireless connections such as radio signals, may be hijacked to gain access to IT and OT environments.
- Insufficient separation of IT and OT networks, allowing breaches of one environment to spill over into the other.
While these technical considerations are important, organisations should also consider how their culture contributes to minimising or increasing cybersecurity risk.
Foster an inquisitive culture and ensure teams are aware of the risks
A common trend we have observed is that OT engineering teams are often focused on ‘keeping the lights on’ through maintaining service availability and dealing with known issues such as asset mismanagement or failure. Availability will always be a critical factor for OT teams, but the increase in security incidents in OT environments, combined with their integration across IT networks, requires organisations to take OT cybersecurity more seriously than in the past.
In contrast, IT departments are generally experienced with maintaining security while balancing availability and ease-of-use. IT teams are, however, not always in a position to share their practices with OT teams or don’t value availability of OT environments sufficiently. This means, that while an OT team’s cybersecurity framework should be reflective of an organisation’s broader cybersecurity policy and risk appetite, the nuances of industry-specific infrastructure frequently require industry-specific security frameworks.
Establish a plan to minimise cybersecurity risks in OT environments
To minimise the cybersecurity risks in water OT environments, organisations need to take a holistic view of their company’s cybersecurity strategy, planning and control, and how it sits across both the IT and OT environment. Further, ensuring your team has a culture of making security a priority as well as maintaining operational availability is critical. This is particularly important in system design and implementation projects where teams need to involve stakeholders from multiple departments.
Another important solution that organisations can consider are utility-specific security standards, such as NIST CSF, NIST 800-82 and/or ISA/IEC 62443. These specific standards will help ensure your cybersecurity framework addresses the specific risks posed in an OT environment.
Finally, organisations should consider cybersecurity a business risk with a people, process, and technology component, like any other business risk. Implement a strong, board level governance framework that regularly monitors this risk and undertake periodic assurance activities such as security reviews and penetration testing.
Getting the right frameworks in place now will ensure your organisation’s infrastructure is protected as best as possible against cyber-attacks. If you would like to discuss your organisation’s OT cybersecurity, contact one of our cybersecurity experts below.